A brief DMARC primer

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It lets domain owners publish policy statements in DNS telling receiving domains what to do with messages that do not authenticate. In addition, DMARC introduces the concept of "domain alignment": the authenticated domain has to be the same domain as (or a sub-domain of) the address in the header From: line. The idea behind DMARC is that organizations can use SPF and DKIM to authenticate the actual domain in the header From: line. This moves authentication from an important but behind-the-scenes technology to one that is visible to the end user.

What does alignment mean?

Alignment means that the authenticating domain is related to the domain in the header-from address. For DKIM the authenticating domain is the d= value of a signature that verifies; for SPF it is the return-path (envelope from) domain that the SPF check passed. There are two kinds of alignment: strict and relaxed. Strict alignment means the two domains are identical; relaxed alignment means they share the same organizational domain, so a sub-domain aligns with its parent (response.nfcu.org is relaxed-aligned with nfcu.org).

It's probably easiest to look at example headers.

In this example (a screenshot of a DKIM-aligned message) we can see a few different things. Headers normally shown in the mail client are in black; headers not normally shown in the client are in blue. Highlighted are the header-from address and the DKIM d= value. Both values are identical, meaning the message passes DMARC with strict alignment. If the header-from were @nfcu.org and d=response.nfcu.org, it would pass DMARC with relaxed alignment.

Shouldn’t all mail align?

Not necessarily. In this other example (a screenshot of a message that is not DKIM-aligned), we see a header-from of @mncompanionrabbit.org but authentication coming from Constant Contact. That is a perfectly legitimate use of the email address in a newsletter, but there is no DMARC alignment as is. Could they create alignment? Sure: by having Constant Contact sign with d=mncompanionrabbit.org, or by publishing an SPF record for mncompanionrabbit.org that includes Constant Contact's sending IPs and having Constant Contact use an @mncompanionrabbit.org return-path address (SPF alignment is checked against the return-path domain, so listing the IPs alone is not enough). But there's not a lot of reason to do that as far as I can see.

Why bring this up now?

Yahoo has recently started publishing a DMARC record with p=reject. This means receivers that check DMARC records (like Yahoo, Hotmail, and Gmail) and honor the p= policy are now bouncing mail from @yahoo.com addresses that is neither sent through Yahoo servers (SPF alignment) nor signed with a Yahoo DKIM key (DKIM alignment): in other words, mail from Yahoo users that does not go out through Yahoo's own outbound SMTP servers. This is affecting a couple of different kinds of Yahoo users, and their mail is bouncing.
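As an added example (not code from the original post), here is a small Python implementation of the alignment check described under "What does alignment mean?" and of the policy lookup described just above: it parses a DMARC TXT record, tests SPF and DKIM alignment in strict and relaxed mode, and returns the disposition a receiver that honors p= would apply. The PUBLIC_SUFFIXES set is a tiny stand-in for the Public Suffix List that real receivers use, and the ESP domain names are constructed for the demonstration.

```python
"""DMARC identifier alignment and policy evaluation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the Public Suffix List; real receivers use the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain, e.g. response.nfcu.org -> nfcu.org.

    Walk the labels right to left; the first label that is not itself a
    public suffix starts the organizational domain.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate not in PUBLIC_SUFFIXES:
            return candidate
    return domain.lower()


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; sp=none; ...' into a tag dictionary.

    Applies the DMARC defaults: adkim/aspf relaxed, pct 100, sp inherits p.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC1 record (needs v= and p=)")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    return tags


def aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """Strict ('s') needs identical domains; relaxed ('r') needs the same
    organizational domain. A missing authenticated domain never aligns."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


@dataclass
class MessageAuth:
    """Authentication results a receiver already has before DMARC runs."""
    header_from: str                                   # domain in the From: header
    spf_pass_domain: Optional[str] = None              # return-path domain, if SPF passed
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of verifying signatures


def evaluate(msg: MessageAuth, record: Dict[str, str], record_domain: str) -> str:
    """Return 'pass', or the requested disposition: 'none', 'quarantine', 'reject'.

    record_domain is where the record was found (_dmarc.<domain>). When that is
    the organizational domain rather than the From: domain itself, the sub-domain
    policy sp= applies. pct= sampling is not modelled here.
    """
    spf_ok = aligned(msg.spf_pass_domain, msg.header_from, record["aspf"])
    dkim_ok = any(aligned(d, msg.header_from, record["adkim"])
                  for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    from_dom = msg.header_from.lower().rstrip(".")
    policy_tag = "p" if from_dom == record_domain.lower().rstrip(".") else "sp"
    return record[policy_tag]


# The yahoo.com record as published in April 2014 (quoted in the comments on this page).
YAHOO_RECORD = parse_dmarc(
    "v=DMARC1; p=reject; sp=none; pct=100; "
    "rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com;"
)


def yahoo_user_via_esp() -> str:
    """Constructed case: From: @yahoo.com sent through an ESP that signs with
    its own DKIM key and uses its own return-path, so nothing aligns."""
    msg = MessageAuth("yahoo.com", spf_pass_domain="bounce.example-esp.com",
                      dkim_pass_domains=["example-esp.com"])
    return evaluate(msg, YAHOO_RECORD, "yahoo.com")


def yahoo_user_via_yahoo_smtp() -> str:
    """Constructed case: the same sender relayed through Yahoo's SMTP servers,
    so the DKIM d= matches the From: domain."""
    msg = MessageAuth("yahoo.com", spf_pass_domain="yahoo.com",
                      dkim_pass_domains=["yahoo.com"])
    return evaluate(msg, YAHOO_RECORD, "yahoo.com")


if __name__ == "__main__":
    print("via ESP       :", yahoo_user_via_esp())            # reject
    print("via Yahoo SMTP:", yahoo_user_via_yahoo_smtp())     # pass
    print("strict        :", aligned("response.nfcu.org", "nfcu.org", "s"))  # False
    print("relaxed       :", aligned("response.nfcu.org", "nfcu.org", "r"))  # True
```

Running the block shows the two outcomes the post describes: the same @yahoo.com From: address is rejected when the message goes out through an ESP and passes when it goes out through Yahoo's own servers. The `sp=none` tag in Yahoo's record is why mail from sub-domains of yahoo.com is not covered by the reject policy, which matches the observation in the comments that only yahoo.com itself was affected.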

Why would Yahoo do this?

There's been an ongoing attack against Yahoo users: attackers compromise their accounts and then send email from that Yahoo user to their contacts. Yahoo has managed to block this spam coming out through Yahoo's servers. The attackers have modified their attacks and are now sending mail from Yahoo users to their contacts through other servers. By publishing a p=reject record, Yahoo is telling other systems not to accept mail from Yahoo users if it doesn't come through Yahoo-controlled servers. This includes the mail from the attackers, but also mail from regular Yahoo users who use another SMTP server, including bulk mail sent through ESPs and individual mail sent to mailing lists.

Will Yahoo change their DMARC record back?

It's unclear. Another feature of DMARC is that receivers can report back to the domain owner when there is an authentication failure. Yahoo receives these reports, so they know exactly how much email is affected by p=reject. This could be a temporary measure until the attackers move on, but it may be a longer-term setting because the attacks may be ongoing.

Can I just tell someone to whitelist my mail?

No. This is not a block that the receiving site chose to apply and can exempt you from. Mail is being rejected because Yahoo's published policy tells other companies to reject mail from @yahoo.com addresses that doesn't come from Yahoo's servers.

This breaks everything! Who can fix this?

The only people who can change this are Yahoo; no one else is responsible for it. The correct place to complain is support@yahoo. Neither Gmail, Hotmail, anyone else following DMARC, nor the folks at dmarc.org can help you. You need to talk to Yahoo.

What can I do to send mail?

Right now the only way to send mail from @yahoo.com addresses to domains that check DMARC is to send it through Yahoo's SMTP servers, either from the web interface or by configuring your mail client to use Yahoo's outbound SMTP server. The only real fix for bulk mail sent through an ESP is to change your header-from address to something that isn't Yahoo. I'd also suggest avoiding other free mail domains (like Gmail and Hotmail).


43 comments

  1. Tobias Herkula says

    Are you saying that it's Yahoo's fault if something breaks now? If somebody uses a domain that does not belong to them, why would the domain owner be responsible if something breaks?

    1. laura says

      What I’m saying is that many people use Yahoo email addresses legitimately, without using the Yahoo outbound mail servers. Yahoo publishing a p=reject breaks those uses.

      If, for instance, Yahoo had previously published a TOS that says ‘the only mail you can send with @yahoo.com has to be sent through our interface’ that would be one thing. This change just enforces that bit of the TOS. But that’s not what yahoo has done. Instead, they started publishing a policy that is going to break a lot of things for their users. Yes, ESP mail is one of them, but mailing list mail is another.

      For Yahoo (and other mailbox providers) there’s never before been the idea that you HAVE to use that email address only to send mail through that mailbox provider. This is really a change in how Yahoo expects their users to use email and I’m not sure it’s a good choice.

  2. Eric S. Smith says

    Spammers ruin everything. These days, we have to assume that mail claiming to come from Yahoo that’s not originating from a Yahoo server is forged spam.

  3. Roberta Cottrell says

    I’m totally confused. Does this mean that the email I thought I was sending from Mad Mimi is actually going through my Yahoo?

  4. Mohammed Ahmed says

    Laura,

    Just an fyi…We just checked and it seems to me that problem is only with yahoo.com address but not with ymail, rocketmail etc.

    1. laura says

      Yup, it is only yahoo.com that has the p=reject message. Other yahoo domains (including some of the regional ones) still have p=none.

  5. What Yahoo's new DMARC Validation Changes Mean for Email Marketers - Mad Mimi Email Marketing Blog says

    […] Word to the Wise has a fantastic and in-depth article about this, right here. […]

  6. Using Yahoo? New Changes Will Impact Your Email Deliverability says

    […] to WordToTheWise, “there’s been an ongoing attack against Yahoo users attempting to compromise their accounts […]

  7. Don’t use a Yahoo email address as your “From” | ActiveCampaign Email Marketing Blog says

    […] Learn more about DMARC and the Yahoo changes […]

  8. Ray Novak says

    My thought was to modify my ‘from’ header to look like this:

    From: “Joe Blow (joeblow@yahoo.com)”

    So the real ‘from’ is my domain, but the name for display in the mail client ui shows the name and email for the message author. Do you suppose this would work?

  9. Email Senders Stymied By Yahoo's Adoption Of Anti-Spoofing Measure says

    […] used with permission of Laura Tessmer Atkins, co-founder of the Word To The Wise email consulting […]

  10. Want to Get Your Emails Delivered? Fix This Today - SkyOffice Consulting | SkyOffice Consulting says

    […] you want the technical details, there’s a great post at Word to the Wise about DMARC, what exactly changed, and what it means for […]

  11. ERIN says

    I am so befuddled. I use the (Telstra) Bigpond service for my email. I use Outlook set with in as pop.mail.yahoo.com and out as mail.bigpond.com. I am unable to send anything successfully now, with everything coming back with the error talked about. I use a Yahoo email address. Does this mean that I would have to use Yahoo as out server for it to work? I (stupid) don't understand how that would function if my mail service is Bigpond? Sorry, but apart from my ever-growing dismay at Yahoo I don't really understand this, and in the end does it mean I cannot use Yahoo with Bigpond?
    Desperate Dan of Australia
    PS : I have “tried” to communicate with Yahoo – ho hum

    1. laura says

      If you set your out mail server as smtp.mail.yahoo.com with your Yahoo credentials that should fix the problem. If you’re using a Yahoo.com email address, then you must use Yahoo’s outbound server in order for DMARC to align and for the receiving servers not to reject the mail.

      The other alternative is to stop using Yahoo as your email address.

  12. Craig Spiezle says

    Thanks for providing insight. While DMARC is very simple, we continue to see alignment issues. Second it is perplexing to see how few of the top 1,000 consumer brands are not authenticating at the TLD vs delegate sub domains. This does little to protect consumers. Join OTA and instructors from Agari and ReturnPath on April 29 in Wash DC for a full-day training. More info at https://www.eventbrite.com/e/email-security-integrity-authentication-dmarc-training-registration-10943543433

  13. Yahoo Changes May Affect Your Deliverability - SkyOffice Consulting | SkyOffice Consulting says

    […] Why is this happening? In an attempt to stop fraudulent emails, Yahoo changed its DMARC authentication policy to reject emails that claim to come from yahoo.com but actually originate at non-Yahoo servers. For more information on the DMARC authentication protocol, check out this DMARC primer from Laura Atkins at Word to the Wise. […]

  14. Changes to Yahoo email and email marketing effects says

    […] Click here for a brief DMARC primer […]

  15. Bill Watkins says

    Laura,

    In checking for latest updates I see an April 8th update from Yahoo at:

    https://help.yahoo.com/kb/mail/SLN7253.html?impressions=true

    mentioning:
    DMARC
    The latest authentication test that Yahoo has incorporated, DMARC, performs the following checks:

    “From” address should map to the same signing domain
    Mail from a domain should match the domain in the “From” header
    Here’s an example of a DMARC record:

    v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc.report@yourdomain.com

    In this example, Yahoo will quarantine emails that fail DKIM and SPF for yourdomain.com, and similar emails for sub-domains from yourdomain.com will be rejected. The aggregate report will be mailed to dmarc.report@yourdomain.

    Their current post shows a 'p=quarantine' and not the previous 'p=reject'.

    Is this a change/update from their previous stance with this past weekend ‘reject’ update ?

    Best Regards,

    Bill Watkins-
    Application Analyst
    ScholarOne – Thomson Reuters
    Charlottesville, Virginia

    1. laura says

      I just checked here and they are currently publishing a p=reject. I’m guessing their website is outdated.

      Wait. I just re-read your comment. That website is just explaining what a DMARC record is. That’s not actually Yahoo’s record. Yahoo’s record looks like this:

      $ dig _dmarc.yahoo.com TXT
      ;; ANSWER SECTION:
      _dmarc.yahoo.com. 1268 IN TXT “v=DMARC1\; p=reject\; sp=none\; pct=100\; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com\;”
      ;; Query time: 5 msec
      ;; SERVER: 192.168.80.1#53(192.168.80.1)
      ;; WHEN: Thu Apr 10 14:20:00 2014
      ;; MSG SIZE rcvd: 360

      1. Bill Watkins says

        Thanks Laura,

        I just checked also and still saw the p=reject. Wishing it wasn’t true however.

        Best Regards,

        Bill Watkins –

  16. How To Fix Your Email Delivery Problem | Sigan Corporation says

    […] you want the technical details, there’s a great post at Word to the Wise about DMARC, what exactly changed, and what it means for […]

  17. Dutchstartupblog: All startups from Holland in one map says

    […] Why is this happening? In an attempt to stop fraudulent emails, Yahoo changed its DMARC authentication policy to reject emails that claim to come from yahoo.com but actually originate at non-Yahoo servers. For more information on the DMARC authentication protocol, check out this DMARC primer from Laura Atkins at Word to the Wise. […]

  18. Sherrick Murdoff says

    This enormous pain, and the severe lack of communication, has caused me to drop Yahoo after 15 yrs. Way to go Yahoo.

  19. charlene says

    Well this just stinks and I knew this day would come! Wish I had already switched over to my own email address.

  20. Lyle Brooks says

    This policy is a huge LOSER!!!

    I run a few mailing lists and it breaks everything. Not only does it block any posting from Yahoo users to anyone else….but then it creates hundreds of bounce messages back to the server. These same Yahoo users don’t see their postings….and not knowing why….they post again, which gets blocked….and generates still more bounces.

    After so many bounces the mailing list software thinks these subscribers are stale, so it starts to unsubscribe not just the Yahoo users, but also most of the other users who have accounts on DMARC compliant servers.

    This is one of the most amazing self-inflicted Denial-Of-Service attacks one can witness.

  21. Tim McGraw says

    I just ran up against this as a Comcast customer who operates some email lists, and while I believe it is fine for free email providers to apply whatever rules they wish on their servers, I *pay* Comcast for email service and I have had some complaints from correspondents that their emails have been rejected with DMARC error codes.

    Comcast doesn’t even publish a DMARC record (https://dmarcian.com/dmarc-inspector/comcast.net) and specifies 12 authorized netblocks for SPF when the maximum allowed is 10 (https://dmarcian.com/spf-survey/comcast.net). How is this even close to best practices?

    If I want to receive all my messages, I feel that it’s not Comcast business to decide what I can receive. What’s next, blocking phone calls?

  22. j j toydemir says

    I have a Yahoo mailbox and it's caused me to pull my flaming hair out on many occasions. Yes, there is a Yahoo support (fyi it is outsourced). A couple months ago, they dumped and blocked all my outgoing mail. I contacted them (short version) and they wanted me to pay $199.00 to fix their problem. Further, they shortly thereafter began daily filling my "spam" with an amazing 100-200 emails. And, believe me, those emails were sure tommy-rot!

    Thank you for Word to the Wise and you can be sure I am more than willing to share this information I’ve read here.

  23. Rick says

    Very good post.
    Won’t this cause spammers to switch their forged From addresses to gmail, hotmail, etc. – and therefore cause the other leading email providers to also invoke DMARC?

  24. Sending From a Web-Hosted Email Address May Bounce Your Email Marketing, Web Inquiries | Sally U: Business, Marketing, Tech & Social Media says

    […] emails. This is due to a new Domain-based Message Authentication, Reporting and Conformance or “DMARC” authentication policy these mail receivers […]

  25. Jacob says

    When I logged on to Yahoo mail, that should be considered sending email from a Yahoo server, shouldn't it? So why is email to some Gmail addresses delivered but email to others rejected with a DMARC message (also Gmail addresses)? How do I solve this problem?

    1. laura says

      You should contact Yahoo support to troubleshoot the problem. There’s nothing any of us can actually do to help you.

  26. Dave says

    This has very suddenly become a real problem with mailing lists. I’m not directly affected (as a sender) because I have my own domain and leave it as unrestricted as possible (because like Tim, above, I want the decisions to be mine, not of some robot with no brain).

    Nevertheless, I suspect I’m not receiving some mail from mailing lists because of this issue. In fact, it was brought to my attention by the administrator of one such list. It would be nice if someone would publish — in plain English — what mailing list administrators need to do. Speaking as a user, I want to see who originated a message, not that it’s coming from a certain list server (which I can usually see already in the subject line). I happen to have a technical background, but reading the dmarc.org site has my head spinning!

    1. laura says

      http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html is where I’d suggest you go for info about what list managers need to do.

  27. All About DMARC & How it Affects Your Deliverability - Dasheroo says

    […] Also check out this great Word to the Wise breakdown.  […]

  28. Larry says

    I currently forward all my email that is received by another mail server. I use a feature they provide called forwarding email. There is no selecting which email can or cannot be forwarded. So when I receive email from AOL and try to forward it, it fails and appears on their end that the email is not delivered. The email has the originating email address from AOL in the forwarding sending address. How am I to correct this problem?

    1. laura says

      You can’t fix this, it’s a policy decision by AOL and Yahoo! to prevent this kind of forwarding.

  29. Joe says

    Laura, thanks for the great write-up on DMARC. We just ran into this issue with a new feature we rolled out to our members. Your article helped us quickly get to the root cause.

  30. Luke says

    Hi, I use Optus as an ISP. They will not allow you to use a Yahoo SMTP. You must configure the POP to be Yahoo and the SMTP to be Optus, otherwise the ISP stops the email from being sent. Does this mean that if I continue to do this Yahoo will stop my mail? So my ISP stops it without the ISP SMTP and Yahoo stops it without their SMTP; in effect this means I can no longer use Yahoo accounts.

  31. Want to Get Your Emails Delivered? Fix This Today | Email Marketing Tips says

    […] you want the technical details, there’s a great post at Word to the Wise about DMARC, what exactly changed, and what it means for […]

  32. Judy Harvey says

    what email do you suggest using to avoid this problem? I am ready to leave Yahoo…

  33. Ja sūti e-pastus no publiskiem domēniem, ievēro DMARC politiku says

    […] send e-mail campaigns from a private domain and have implemented a DMARC policy for your domain, I recommend authenticating your domain and sending e-mail marketing […]

  34. If You Send Emails from Public Domains, Agree with the DMARC Policy - Email Marketing Blog | Email Marketing Tips & News| Mailigen says

    […] you send emails from your company domain and have implemented the DMARC policy, we suggest you to authenticate your private domain before sending emails from the Mailigen […]
